Hackers Show How Simple It Is to Hack ATMs for Free Cash

This was done using a special button sequence and some knowledge. They supposedly made the ATMs believe that they were dispensing $1 bills instead of the $20 bills that were actually dispensed by the cash trays. Thus a withdrawal of $20 made the machine dispense $400 in cash, giving a profit of $380, as the first $20 was withdrawn from their own bank accounts using their own ATM cards.

As charged, the stunt is an unusually successful example of a low-tech ATM hack that has been used for minor theft in the past. It shows vulnerabilities in the ATMs made by Tranax Technologies and Triton, which were showcased in a legendary ATM jackpotting demonstration delivered at the Black Hat conference in 2010 by security researcher Barnaby Jack.

Criminals at the street level have found another weakness in the machines, one that requires no software or gear. These machines (kiosk ATMs) can be placed into an operator mode simply by pressing a sequence of buttons on the keypad. From this mode a number of variables can be manipulated, such as the number of bills loaded in the machine’s currency cartridges. This mode is secured by a secret six-digit code, which one of the defendants, Fattah, already knew, as he used to work for a company that operated the machines.
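The scheme above leaves a trace an operator can check for: the configured denomination stops matching what was physically loaded, and every later withdrawal dispenses more value than it debits. The Python sketch below is an added example, not code from the article or from any ATM vendor; the journal format, event names and sample lines are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample journal; the line layout and event names are assumptions,
# not a real vendor log format.
SAMPLE_JOURNAL = """\
2024-05-01T09:00:00 ATM7 CASSETTE_LOAD cassette=A denom=20 notes=1000
2024-05-01T09:05:00 ATM7 WITHDRAWAL amount=60 cassette=A notes=3
2024-05-02T23:41:00 ATM7 OPERATOR_LOGIN
2024-05-02T23:42:10 ATM7 DENOM_SET cassette=A denom=1
2024-05-02T23:44:30 ATM7 WITHDRAWAL amount=20 cassette=A notes=20
2024-05-03T08:00:00 ATM7 WITHDRAWAL amount=40 cassette=A notes=40
"""

@dataclass
class Finding:
    timestamp: str
    atm: str
    kind: str
    loss: int  # dollars dispensed beyond the amount debited

def parse_line(line):
    """Split 'timestamp atm EVENT key=value ...' into its parts."""
    timestamp, atm, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return timestamp, atm, event, fields

def audit(journal):
    """Flag denomination edits made without a reload, and over-dispensing withdrawals."""
    loaded = {}  # (atm, cassette) -> denomination recorded at the last physical load
    findings = []
    for line in journal.splitlines():
        if not line.strip():
            continue
        ts, atm, event, f = parse_line(line)
        key = (atm, f.get("cassette"))
        if event == "CASSETTE_LOAD":
            loaded[key] = int(f["denom"])
        elif event == "DENOM_SET" and int(f["denom"]) != loaded.get(key):
            findings.append(Finding(ts, atm, "denom_changed_without_reload", 0))
        elif event == "WITHDRAWAL" and key in loaded:
            # Value that actually left the machine, using the loaded denomination.
            dispensed = int(f["notes"]) * loaded[key]
            if dispensed != int(f["amount"]):
                findings.append(Finding(ts, atm, "dispense_mismatch", dispensed - int(f["amount"])))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_JOURNAL):
        print(finding)
```

The check depends on the replenishment record being trustworthy, so it should come from the cash-loading process rather than from the machine's own editable settings.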

In 2005 it was discovered that the factory-set master passcodes of the machines were printed inside the service manuals, which were available online. These manuals advised users to change the passcode on first use, but many small business owners never made the change. This led to the unique phenomenon of hacking as a street crime. The scheme went viral in 2006 when a man looting an ATM at a Virginia gas station was caught on surveillance camera video.

After that, Triton and Tranax changed the programming of the machines to force the user to change the passcode on first use. Machines that were already in use were still vulnerable, and reports of new crimes came in repeatedly. In 2007 a convenience store in Pennsylvania was hit for $1,540 by an unidentified man in shorts. In 2008 Lobo’s City Mex in Lincoln was hit for $1,400 by two 21-year-old men over three different visits, but they were caught on the fourth. In 2010 a man who worked in a grocery store was turned in to the FBI by a coworker as he was planning to loot 30 different ATMs while wearing a wig, and he was sentenced to 37 months in jail.

Take away message:

Cambridge University (Ross Anderson) has openly and vocally criticised the lack of banking security.

DO NOT use “CONTACTLESS” payment cards…

The bank’s response to Ross Anderson was simply to threaten him for exposing their poor security. It’s like a Monty Python script.